Russian ISPs blocked Google News as tension with the Wagner Group mounted. Ukrainian hacktivist auxiliaries break into Russian radio broadcasts. New EU sanctions are directed against Russian IT firms. Transparent Tribe resurfaces against Indian military and academic targets. Unauthorized access continues to be the leading cause of data breaches. A trojanized Super Mario Brothers game spreads malware. Rick Howard speaks with director of Amazon security, Jenny Brinkly. Paul Rebasti of Lockheed Martin describes the Code Quest competition. And law enforcement agencies seize the web domain of BreachForums.

I’m Dave Bittner with your CyberWire intel briefing for Monday, June 26th, 2023.

Russian ISPs blocked Google News as tension with the Wagner Group mounted Friday.

Internet observatory Netblocks found that five Russian ISPs blocked Google News on Friday as tensions between the Wagner Group and the Ministry of Defense rose during the run-up to the Wagnerites' abortive march on Moscow. Google News has been blocked before, the New York Times observes, most prominently in March of 2022, when Roskomnadzor announced an interdict of the service after Google blocked some online content that spread disinformation in support of Russia's war against Ukraine.

The Wagner Group’s march on Moscow may have been abandoned yesterday, but internal tensions remain high. Expect information operations to remain prominent in coming days, and see the coverage on the CyberWire dot com for daily updates on the hybrid war in Ukraine.

Ukrainian hacktivist auxiliaries break into Russian radio broadcasts.

Radio Free Europe | Radio Liberty reports that Ukrainian operators have increasingly hacked into Russian radio broadcasts to insert pro-Ukrainian messages. When the current wave began in early June, the message was that Russia had declared full mobilization and martial law in response to a large-scale invasion of Russia. Outrageous as they were, the messages gained enough traction to draw an official denial from Kremlin spokesman Dmitry Peskov.

New EU sanctions are directed against Russian IT firms.

Computing reports that the eleventh round of European Union sanctions enacted against Russia will hit that country's IT sector particularly hard. The European Council singled out companies holding a license from the FSB authorizing them to work "at the Russian security level of 'state secret' as well as companies holding a "weapons and military equipment license from Russia's Ministry of Industry and Trade. It's not just their work on conventional military systems that puts them on the EU's list. "The Council has also assessed that information warfare constitutes a key means by which Russia implements its war of aggression against Ukraine and commits gross violations of international law and the principles of the Charter of the United Nations."

Transparent Tribe resurfaces against Indian military and academic targets.

SideCopy, a subdivision of the Pakistan-aligned threat actor Transparent Tribe, is targeting the Indian army and India’s education sector. Researchers at Seqrite said in their report on the activity, “There are three infection chains with themes utilized: DRDO’s ‘Invitation Performa,’ which is part of its Defence Procurement Procedure (DPP), a honeytrap lure, and also the Indian Military with ‘Selection of Officers for Foreign Assignments’ theme. The ongoing campaign came to light after a senior DRDO scientist was arrested for leaking sensitive information to Pakistani agents who honey trapped him.”

Report: Unauthorized access is the leading cause of data breaches for the fifth year in a row.

ForgeRock’s 2023 Identity Breach report was released on June 22nd and it shows that at least 1.5 billion user records were exposed in 2022. 53% of all breaches that occurred in 2022 were from third party organizations and cost on average 9.4 million dollars per breach. Unauthorized access, responsible for 49% of the data breaches (which is actually down a bit from recent history) was determined to be the leading cause of breaches for the fifth consecutive year. Ransomware, however, at 34%, is on the rise. ForgeRock blames companies’ misconfiguration of cloud services, firewalls, and human error as the major factors contributing to the breaches. 

The healthcare industry seems to have been the most heavily affected in 2022, showing a 12% increase from 2021’s attacks, with education and financial services in second and third place respectively. ForgeRock says this mirrors the headlines regarding data breaches. One sector the report calls out is insurance. “Despite being a highly regulated part of the financial services sector, the insurance industry is increasingly being targeted by cybercriminals. They exploit the vast amounts of PII stored in outdated systems, the lack of user training, and the slow adoption of strong authentication. In 2022, while attacks on the financial services sector decreased by 28.6% compared to the previous year, nearly half (47%) of all breaches affected the insurance industry.” ForgeRock also found that generative AI was a leading factor in allowing threat actors to create higher quality phishing schemes, and other forms of social engineering like malicious voice and video impressions. 

To counter this rise in data breaches ForgeRock recommends that, along with implementing passwordless authentication and implementing a zero trust framework, companies should “leverage AI and intelligent decisioning for all identities across the identity life cycle.” Ultimately, as the use of generative AI in malicious attacks grows, the ability of a customer or employee to detect such attacks shrinks. Using AI as a defensive measure for pattern recognition and incident response may offer some promise in protecting accounts.  

Trojanized Super Mario Brothers game spreads SupremeBot malware.

A Trojanized version of the Super Mario game installer is being used to deliver the XMR cryptominer, the SupremeBot mining client, and the Umbral stealer, according to researchers at Cyble. The researchers explain, “Threat Actors (TAs) use game installers to spread various malware because games have a wide user base, and users generally trust game installers as legitimate software. The social engineering tactics that TAs use exploit users’ trust and entice them to download and run malicious game installers. The large file size and games’ complexity provide TAs opportunities to hide malware within them.” The researchers add, “This incident highlights another reason TAs utilize game installers as a delivery mechanism: the powerful hardware commonly associated with gaming provides valuable computing power for mining cryptocurrencies.” 

OK, you might say, it’s just crypojacking, but that can mean game over for your device’s resources. Like being snaffled up by a buncha Koopa Troopas, bro’.

Law enforcement agencies seize BreachForums' web domain.

And, finally, here’s another story with a gamer reference.

Three months after apprehending alleged BreachForums impresario Pompompurin (his name, IRL is Conor Fitzpatrick) on a range of cybercrime charges, US authorities have seized the illicit service's web domain. As is customary in such takedowns, the domain now displays a banner saying that the site is under new management, specifically the FBI, the Office of Inspector General at the Department of Health and Human Services, and the Department of Justice, acting under a warrant issued by the US District Court for the Eastern District of Virginia. The action against BreachForums was both interagency and international. The Bureau shares credit for the operation with the US Secret Service, Homeland Security Investigations, the New York Police Department, the US Postal Inspection Service, the Dutch National Police, the Australian Federal Police, the U.K. National Crime Agency, and Police Scotland. 

BleepingComputer points out that the Bureau did a bit of visual crowing: the image of Pompompurin (a golden retriever from the Hello Kitty universe) that graced the site now sports a pair of handcuffs.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

 

Don’t forget to check out the “Grumpy Old Geeks” podcast where I contribute to a regular segment with Jason and Brian on their show for a lively discussion every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by the CyberWire’s editorial team. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.

Selected reading.

Ukraine at D+487: After the march on Moscow. (CyberWire)

Ukraine at D+486: The march on Moscow is over. (CyberWire)

Ukraine at D+485: “We are dying for the Russian people.” (CyberWire)

U.S. spies learned in mid-June Prigozhin was planning armed action in Russia (Washington Post) 

Google News Blocked in Russia as Feud With Mercenary Leader Intensifies (New York Times)

Air War: Pro-Ukraine Hackers Increasingly Breaking Into Russian Broadcasts With Anti-Kremlin Messages (RadioFreeEurope/RadioLiberty)

Fresh EU sanctions hit Russian IT firms (Computing)

Pakistan based hackers target Indian Army, education sector in new cyber attack (Telangana Today)

Pakistan-based hackers target Indian Army, education sector in new cyber attack (PGURUS)

‘Transparent Tribe’ comes out of hiding (Pune Times Mirror) 

2023 ForgeRock Identity Breach Report (ForgeRock)

Trojanized Super Mario Game Installer Spreads SupremeBot Malware (Cyble)

Trojanized Super Mario game used to install Windows malware (BleepingComputer)

FBI seizes BreachForums after arresting its owner Pompompurin in March (BleepingComputer)